Your Health Information Isn’t Secure But Don’t Blame EHRs

There’s a lot of talk about the risks of storing health information in electronic medical records (EMRs). But, EMRs aren’t the problem. Those consent forms you sign at the doctor’s office… yeah, you should pay attention to the fine print. You may be giving permission to insurance companies, drug makers, and data aggregators to access your health information, regardless of how or where it’s stored. Sorry to get all sour grapes, but we just want to set the record straight. Here’s what you need to know about who can see your health information, how they can legally use it, and what you can do to protect yourself.

Your Doctor Isn’t the Only Person Who Knows Your Diagnosis

Have you heard of the Medical Information Bureau (MIB)? What about IntelliScript and MedPoint? These organizations, among others, build databases of Americans’ private medical information and sell it to other companies (MIB, a non-profit, only provides the information to its members). It’s perfectly legal. But, ethical? Well, you decide.

Data aggregators track down diagnosis codes, lab data, and prescriptions from databases such as those kept by pharmacy benefit managers. The data is later sold to health and life insurance companies to assess the risk of writing a policy. In other words, they can use it to determine rates, or possibly deny you service. However, we should point out that the MIB uses proprietary codes and only receives this information from member companies. The codes are “brief resumes” that act as “red flags” about a particular medical impairment or risk to a patient’s mortality or morbidity. MIB members aren’t supposed to make underwriting decisions based solely on a code.

Some of these organizations even perform analysis for insurance companies. For example, IntelliScript from Milliman provides insurers with drug profiles of patients. In each patient profile, they assign color codes to a drug – red, yellow, or green – in order to indicate its risk factor. Red means risk. It could be used to spotlight drugs for serious illnesses like cancer or AIDS.

Resolution of Disapproval in Supreme Court Decision in Sorrell v. IMS Health Case

Lawmaker, author of health privacy protections in economic recovery act, declares privacy rights of doctors, patients should trump commercial interests

WASHINGTON, D.C. – On Friday July 8, 2011, Congressman Edward J. Markey (D-Mass.), co-chairman of the Congressional Bi-Partisan Privacy Caucus and senior member of the House Energy and Commerce Committee, introduced H.Res. 343, a resolution expressing disapproval of the recent Supreme Court decision in Sorrell v. IMS Health. In its decision, the Court struck down a Vermont state law that banned the sale of doctors’ drug prescriptions records if the records are used for commercial purposes without the doctors’ permission.

Rep. Markey’s resolution states that the Court erred in applying free speech protections to a Vermont law that lawfully regulated a purely commercial interest. Before the Vermont law was enacted, data-mining companies would purchase information about doctors’ prescription drug information from pharmacies and then resell the data to pharmaceutical companies. The pharmaceutical companies could use the information – without the doctors’ consent – for the commercial purpose of targeting their sales messages and marketing more expensive, brand-name drugs to physicians.

“In this case, the Supreme Court tipped the scales of justice in favor of big drug companies at the expense of patients and their doctors,” said Rep. Markey. “The privacy of the doctor-patient relationship should outweigh the ability of pharmaceutical companies to mine data simply so they can market expensive drugs to providers and reap huge profits. States should be able to regulate pharmaceutical companies in a way that protects the privacy of their residents and prevents pharmaceutical companies from having undue influence on doctors’ prescribing habits.”

Dissenting in the Supreme Court’s 6-3 decision, Justice Stephen Breyer wrote that the Vermont state law in question “adversely affects expression in one, and only one way. It deprives pharmaceutical and data-mining companies of data…that could help pharmaceutical companies create better sales messages.” The dissent, which was joined by Justices Ruth Bader Ginsburg and Elena Kagan, stated that the Vermont statute is a “lawful governmental effort to regulate a commercial enterprise…The far stricter, specially ‘heightened’ First Amendment standards that the majority would apply to this instance of commercial regulation are out of place here.”

Dr. Deborah Peel, a national health privacy expert and founder of the non-profit Patient Privacy Rights, praised the Markey resolution. “With a Supreme Court that stands up for the interests of pharmaceutical companies, it’s reassuring to know that Congressman Markey is looking out for patients and doctors who value the privacy of their prescription drug information.”

Text of the resolution can be found HERE.

Baby’s death spotlights safety risks linked to computerized systems

Check out this very relevant story from the Chicago Tribune Health section, “Baby’s death spotlights safety risks linked to computerized systems,” written by Judith Graham and Cynthia Dizikes.

This subject, discussed at length in Session 3.2 of the Health Privacy Summit, “Control of patient information – Health Information Exchanges,” is just the tip of the iceberg of the many risks of electronic health records that must be addressed as billions of stimulus dollars go into creating a health IT infrastructure.

Baby’s death spotlights safety risks linked to computerized systems, Chicago Tribune, by Judith Graham and Cynthia Dizikes, June 27, 2011

Hospitals Wary of Hackers Seek Insurance from AIG

Bloomberg News aired a segment on the rising threat of electronic health information systems to patient privacy and tapped Jim Pyles, an expert from the first health privacy summit, to speak. He pointed to the lack of adequate health data security, the ability to breach thousands or millions of records simultaneously, and the value of health data on the black market as key causes of the growing number of reported health data breaches.

View the video here.

Synopsis: Doctors and hospitals adopting electronic patient records under a U.S. government program are exploring insurance policies to help cover the costs of medical-data breaches. Data breaches cost U.S. hospitals $12 billion over the past two years, according to a study by the Ponemon Institute. Bloomberg’s Megan Hughes reports on “InBusiness with Margaret Brennan.”

Re: Web site helps people profit from information collected about them

See the new story in the Washington Post by Thomas Heath: Web site helps people profit from information collected about them

A new technology called “Personal” allows people to control some of their personal information and monetize it themselves. A technology like “Personal” could give us control over our personal health data, which is constantly being “monetized” today without our consent and sold for uses that have nothing to do with improving our health.

“Personal” is betting that data we enter about ourselves and our product preferences will be very attractive to corporations that want to know us and/or sell to us. Today corporations use and sell whatever information they can scavenge about us online.

Similarly, sensitive health data that we control and release will be FAR more valuable to our doctors, researchers, and marketers because we have checked it for accuracy and completeness.  No one has quite the same motivation to ensure the accuracy and completeness of our health data as we do: it’s literally a matter of life and death.

Here is the business model “Personal” uses:

  • “if you monetize your data (Personal doesn’t like the word “sell”) through commercial activities with companies that want to buy it. Personal wants to be your “agent,” collecting a 10 percent fee on the compensation you receive each time you monetize your data.
  • EXAMPLE:  “So if I were a user of Personal, I could fill in the data fields in my “gem” on travel preferences for my trip to Stockholm this summer. I would release the information to Stockholm hotels, which could compete for my business based on my preferences for a clubby hotel bar, delicious breakfasts, a king-size bed and access to running trails. If a hotel gave me a discount or cash payment, Personal would collect a 10 percent fee.”

JUST LIKE in today’s electronic healthcare systems where we are powerless to stop the theft and sale of health data, “Personal can’t stop companies and others from scavenging data by tracking your online activities. It does, however, “give you the tools to monetize your data, but only if you want to,” Green said.”

“Personal’s” model of individual control over personal data could work very well with sensitive health data, giving us choices, like NOT selling anything at all. But, Granny could sell some of her health information to afford her medications. Or Dad could sell some of his data for research to afford treatment.

At a time when healthcare is not affordable for so many people, why should hospitals, pharmacies, doctors, labs, health IT and HIE vendors, prescription data mining corporations, insurers, transcription companies, data warehouses, states like Texas, digital devices, cell phone corporations and innumerable others be able to sell and “monetize” health data, instead of patients?

Many are concerned that if patients can monetize their data, poor and vulnerable people will give up privacy for money and the rich won’t need to. But how moral is the current system where corporations secretly profit from health information about the poor and rich alike?

To date, federal and state laws designed to prevent the sale of our protected health information have not been implemented or enforced. Congress and the states intended to stop the sales of health data without consent, but industry lobbies have effectively prevented the laws from working.

When was the last time your pharmacy asked if they could sell your prescription details? All US pharmacies sell everyone’s prescription records every night. See: http://patientprivacyrights.org/consumers/campaign-for-perscription-privacy/

Don’t bet on knowing your records’ whereabouts

Joseph Conn with ModernHealthcare.com wrote about the Health Privacy Summit in the IT Everything blog. You can read the full article here: Don’t bet on knowing your records’ whereabouts

“Do you know where your electronic health information is tonight?

Here’s a reader challenge: I’ll pay $10 to the first adult who has had at least five encounters with the private-sector healthcare system in the past 10 years to come up with a complete map of where all his or her electronic health records have traveled, who has seen them and where they are now.

I feel my money is safe in my pocket, and here’s why:

First, I’ve been covering health IT for nearly 11 years, and there is no system I know in this country that can completely track the whereabouts of someone’s electronic health information.

Second, there are no laws or incentives to induce complete tracking of a patient’s records.

And yet, patients ought to have access to just such a record map, according to health IT and privacy experts participating in the first Health Privacy Summit Monday in Washington. The daylong conference was put together by Patient Privacy Rights and the Lyndon B. Johnson School of Public Affairs at the University of Texas, Austin…”

Report from first health care privacy conference

Andy Oram, editor at O’Reilly Media, was also a Rapporteur and part of the Planning Committee for the First International Summit on the Future of Health Privacy.

You can view his recap and thoughts from the Summit here: Report from first health care privacy conference

Strange that a conference on health privacy has never been held before, so I’m told. Privacy in health care is the first topic raised whenever someone talks about electronic health records–and dominates the discussion from then on–or, on the other hand, is dismissed as an overblown concern not worthy of criticism. But today a conference was held on the subject, prepared by Patient Privacy Rights and the University of Texas’s Lyndon B. Johnson School of Public Affairs, and held just a few blocks from the Capitol building at the Georgetown Law Center as a pre-conference to the August Computers, Freedom & Privacy conference.

PPR Founder Nominated again for 100 Most Influential

For the 5th year in a row, PPR founder and chair, Deborah C. Peel, MD, has been nominated to be on Modern Healthcare’s list of the 100 Most Influential People in Healthcare.  More than 414,000 nominations were received from April 4 through May 6, and the ballot of 300 candidates is based on those nominations.

Dr. Peel debuted on this prestigious list in 2007 as the 4th most powerful person in healthcare. They changed the list from the “most powerful” to “the most influential,” which suits our situation even better. Patient Privacy Rights is not the “Most Powerful” in the healthcare industry; however, we are extremely influential. Over the past few years we have had a huge impact on health care, health IT, and your health privacy. We not only got new groundbreaking privacy protections into the stimulus bill, but are still working today to follow up with those regulations and ensure they are implemented properly. Dr. Peel has traveled worldwide to discuss the health care situation here in the United States, and how important privacy is. In the last year she has testified before the Health IT Policy Committee as well as the President’s Council of Advisors on Science and Technology.

We are working every day to influence lawmakers, health IT vendors and industry, insurers, doctors, patients, and more to hold privacy as a priority. Help us make it clear to those deciding your future, that in order to move ahead we must put privacy at the front of the line! Vote for Deborah Peel.

You can view a full list of the 300 candidates with their titles and affiliations here.

Please take a moment and vote for Deborah Peel to keep privacy a priority.

Press Release for Health Privacy Summit 2011


FOR IMMEDIATE RELEASE

LBJ School of Public Affairs and Patient Privacy Rights Foundation to Co-Host
Inaugural International Summit on Health Privacy June 13 in Washington, D.C.

“Getting IT Right: Protecting Patient Privacy in a Wired World” to Look at the
Fundamental Role of a Patient’s Right to Privacy in Health Information Technology

AUSTIN, Texas, May 11, 2011 – The Lyndon B. Johnson School of Public Affairs and the Patient Privacy Rights Foundation will co-host the nation’s first public summit to discuss the future of health privacy in the digital age. “Getting IT Right: Protecting Patient Privacy in a Wired World” will be held on June 13, 2011 at the Georgetown Law Center in Washington, D.C. The event is the first in a planned series of forums on this theme and coincides with the creation of the U.S. government’s plan for a new health information technology (HIT) infrastructure, which will collect personal health information. For agenda and registration information, visit: http://www.healthprivacysummit.org/

The summit will be interactive and audience members will be expected to contribute questions to panels and participate in work groups to identify urgent health privacy needs, along with the immediate steps needed to deliver responsible and realistic solutions.

Deborah C. Peel, MD, chair of the board of directors of Patient Privacy Rights, Summit co-host, explained, “The goal of the summit is to create the world’s premier public forum on health privacy issues by uniting a ‘brain trust’ of experts – academics, advocates, government, health care, and those in the technology field – who are willing to work together to ensure health privacy is a center-piece of U.S. health care system reforms. We’re very pleased with the response to the Summit, from panelists and speakers to sponsors, which no doubt speaks to the importance and urgency of these issues today and into the future.”

Whether or not the new HIT infrastructure will afford individuals proper control over the sharing of their personal health information is the key issue that will be addressed. Benedicte Callan, Sid Richardson Fellow of health innovation and policy at the LBJ School, feels that the United States is reaching a crossroads in patient privacy with the creation of the HIT infrastructure.

“Designed well, this digital health information system could be the foundation for a more efficient 21st Century health care system,” said Callan. “It could lower costs, make care more safe and effective while leading to new treatments by benefiting research. But without proper protections built in up front, the HIT system could compromise the fundamental rights of citizens to protect their most sensitive personal health information.”

In summation, “The LBJ School has been preparing leaders for 40 years to help find innovative solutions to the most complex public policy issues and challenges of our modern world,” said Robert Hutchings, Dean of the LBJ School of Public Affairs. “Therefore, we see it as critically important to engage in this issue on every level—local, state, national, international—through research and collaborative partnerships in conferences such as this one. We are especially pleased to join with Patient Privacy Rights and with the other conference participants on working together towards solutions to one of the greatest privacy challenges of our time.”

The Lyndon B. Johnson School of Public Affairs is a graduate component of The University of Texas at Austin. The School’s mission is to develop leaders and innovative ideas that will help our state, the nation and the international community address critical public policy challenges in an ever increasingly interconnected and interdependent world.

Patient Privacy Rights is the nation’s leading health privacy watchdog and leading consumer voice for building ethical, trustworthy HIT systems. For more information, visit: http://patientprivacyrights.org/.

Major sponsors to date include: Microsoft, Jericho Systems, ID Experts, e-MDs, Inc., and Medical Research and Materiel Command, Telemedicine and Advanced Technology Research Center at the U.S. Department of Defense.

###

Interview: Protecting patient privacy rights in a wired world

In this podcast, Andy Oram interviews Dr. Deborah Peel of the Patient Privacy Rights Coalition about Getting IT Right: Protecting Patient Privacy Rights in a Wired World, a preconference to be held in conjunction with the illustrious Computers, Freedom, and Privacy conference this year.

Listen to the Interview here

Topics covered in the interview include:

  • The evolution of patient privacy.
  • Weaknesses in the current privacy regime for health care.
  • Goals, structure, and intended outcomes for the conference.
  • A look at featured speakers and attendees, including: Joy Pritts, ONC, Chief Privacy Officer; Jessica Rich, Deputy Director, FTC Bureau of Consumer Protection; Stephania Griffin, VHA Privacy Officer; AZ Senator Nancy Barto, Chairman of the Senate Healthcare and Medical Liability Reform Committee; Stephanie Perrin, Canadian privacy expert; Ross Anderson, Cambridge University, UK; Latanya Sweeney, Harvard, MIT, Carnegie Mellon; Helen Nissenbaum, Professor of Media, Culture and Communication, and Computer Science, New York University; Lee Tien, EFF.

Related links:

Listen to the O’Reilly Interview on Health Privacy Summit with Deborah Peel